Earlier this month, we shared with you how the Internal Revenue Service (IRS), despite making more concerted efforts to combat attempted identity theft and tax fraud, was the victim of a data breach this summer, one that left the personal data of about 330,000 taxpayers compromised. Now those taxpayers are fighting back with a class action lawsuit levied against the federal agency.
In May, the IRS announced that the tax return data of approximately 100,000 households was accessed by a group of hackers who had breached the “Get Transcript” web portal. The system, designed as a convenient source for taxpayers to use in order to refer back to previous years’ returns, was compromised earlier this year when hackers were able to bypass a security checkpoint. By doing so, they were able to get their hands on a treasure trove of personal information, including birth dates, street addresses, tax filing statuses and Social Security Numbers. When the IRS disclosed the incident to the public, it (understandably) came under fire for essentially creating a system that was meant to safeguard tax filers’ information but ended up doing just the opposite.
But even more distressing was when the IRS amended its statement this month, adding that, upon further investigation, the actual number of victims was more than triple what it initially estimated. Although those first 100,000 household tax records had shown definitive proof of being stolen by cyber criminals, investigators said that another 220,000 exhibited signs “where there were instances of possible or potential access.” All told, as many as 330,000 taxpayers may have had their personal data compromised in the data breach.
Those taxpayers aren’t taking the blow sitting down, and two have now launched a class action lawsuit against the IRS. The litigation alleges that because of the agency’s lax cyber security protections and inability to update those safeguards in time, hackers were able to abscond with $50 million in fraudulent tax returns filed with the victims’ information.
“As custodians of taxpayer information, the IRS has failed in its obligation to protect the personal and sensitive information of hundreds of thousands of taxpayers, their spouses and families,” the plaintiffs’ lawyer, Richard McCune, said in an official statement. “Furthermore, the breach and theft occurred after repeated warnings over the course of several years regarding the lax computer security system.
The lawsuit also accuses the IRS of knowing “that its systems would be a target for cybercriminals” but “deliberately and intentionally chose not to implement [the] appropriate security.”
Not only do data breaches open the doors for potentially years of legal action, but they also place victims at heightened risks of ID theft and fraud. This is especially pronounced during tax season, when Americans are sending out valuable pieces of personal information — and entrusting the IRS and third-parties like TurboTax to protect that information — that could be potentially hacked and used to steal the tax refund that they were entitled to receiving.
You can’t always know how well other parties will protect your personal data, but you can take measures into your own hands with a credit monitoring services. Although they can’t provide complete identity theft protection, they can alert you to certain activity on your credit files that may be evidence of fraud occurring under your name.